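I am trying to reverse engineer the protocol used between my air conditioner and the wired control unit on the wall. (So that my home automation can monitor and control the A/C.)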

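The electrical interface is a simple open-collector bus, on which both ends send bytes using UART timing at 100 baud (a great many of them).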

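I captured the communication between the two ends and found that they always send 13-byte packets, and the last byte appears to be some kind of checksum. I am confident I can work out where in the 12-byte payload to find the temperature setpoint, the on/off bit, and so on. However, I cannot figure out how the checksum is calculated, and if I do not get it right, I will not be able to inject commands into the A/C unit (other than replaying known commands, which may work, but would not leave me fully satisfied with the reverse engineering).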

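Below, I have copied the packets I have captured so far. Clearly the checksum is not a CRC, because flipping one bit in the data usually flips only one or a few adjacent bits in the checksum. Incrementing a byte reveals a clear pattern of differences: -1 +3 -1 -5 -1 +3 -1 -21 -1 +3 -1 -5 -1 ...
The above sequence is generated by the formula y = (x & 0xAA) - (x & 0x55), so I think it forms part of the checksum algorithm in some way.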

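What I cannot figure out is how, overall, the input bytes are mixed together, which is why I am asking the expert reverse engineers on this forum. Any observations are welcome, even if they are not a complete solution.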

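The air conditioner is a Friedrich M09CJ, and the wall-mounted "thermostat" DWC1 can interface with many other Friedrich air conditioners, so it is a reasonable guess that they also use the same protocol.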


Line numbers were added afterwards and are not part of the data.


   1        A8 00 00 00 00 00 09 17 00 00 00 00 9D
   2        A8 00 00 00 00 00 09 18 00 00 00 00 9C
   3        A8 00 00 00 00 00 09 19 00 00 00 00 9F
   4        A8 00 00 00 00 00 09 1A 00 00 00 00 9E
   5        A8 00 00 00 00 00 09 1B 00 00 00 00 99
   6        A8 00 00 00 00 00 09 1C 00 00 00 00 98
   7        A8 00 00 00 00 00 09 1D 00 00 00 00 9B
   8        A8 00 00 00 00 00 09 1E 00 00 00 00 9A
   9        A8 00 00 00 00 00 09 1F 00 00 00 00 85
  10        A8 00 00 00 00 00 09 20 00 00 00 00 84
  11        A8 00 00 00 00 00 09 20 00 00 40 00 44
  12        A8 00 00 00 00 00 09 21 00 00 00 00 87
  13        A8 00 00 00 00 00 09 22 00 00 00 00 86
  14        A8 00 00 00 00 00 09 23 00 00 00 00 81
  15        A8 00 00 00 00 00 09 23 00 00 40 00 41
  16        A8 00 00 00 00 00 09 24 00 00 00 00 80
  17        A8 01 00 00 00 00 09 23 40 00 80 00 C0
  18        A8 01 00 00 00 00 09 24 40 00 80 00 C3
  19        A8 02 00 00 00 00 09 1E 00 00 00 00 84
  20        A8 02 00 00 00 00 09 20 00 00 00 00 86
  21        A8 02 00 00 00 04 05 1E 00 00 00 00 84
  22        A8 02 00 00 00 04 07 1F 00 00 00 00 81
  23        A8 02 00 00 00 04 09 1F 00 00 00 00 83
  24        A8 02 00 00 00 04 09 20 00 00 00 00 82
  25        A8 02 00 00 00 04 0A 20 00 00 00 00 8D
  26        A8 02 00 00 00 04 0E 1F 00 00 00 00 8E
  27        A8 02 00 00 00 04 0E 20 00 00 00 00 89
  28        A8 03 00 00 00 00 09 20 00 00 00 00 81
  29        A8 03 00 00 00 00 0A 20 00 00 00 00 80
  30        A8 03 00 00 00 00 0B 20 00 00 00 00 83
  31        A8 41 00 00 00 00 01 00 40 00 80 00 FF
  32        A8 41 00 00 00 00 01 1F 40 00 80 00 9C
  33        A8 42 00 00 00 00 09 1F 00 00 00 00 47
  34        A8 60 40 00 00 00 09 1F 00 00 00 00 25
  35        A8 60 40 00 00 00 09 20 00 00 00 00 24
  36        A8 60 40 00 00 00 09 21 00 00 00 00 27
  37        A8 60 40 00 00 00 09 22 00 00 00 00 26
  38        A8 60 40 00 00 00 09 23 00 00 00 00 21
  39        A8 62 00 00 00 00 09 1F 00 00 00 00 67
  40        A8 62 00 00 00 00 09 20 00 00 00 00 66
  41        A8 62 40 00 00 00 09 20 00 00 00 00 26
  42        A8 62 40 00 00 00 09 21 00 00 00 00 21
  43        A8 62 40 00 00 04 09 1D 00 00 00 00 21
  44        A8 62 40 00 00 04 09 1E 00 00 00 00 20
  45        A8 62 40 00 00 04 09 1F 00 00 00 00 23
  46        A8 62 40 00 00 04 09 20 00 00 00 00 22
  47        A8 62 40 00 00 04 09 21 00 00 00 00 2D
  48        C8 00 00 00 00 00 09 17 00 00 00 00 BD
  49        C8 00 00 00 00 00 09 18 00 00 00 00 BC
  50        C8 00 00 00 00 00 09 19 00 00 00 00 BF
  51        C8 00 00 00 00 00 09 1A 00 00 00 00 BE
  52        C8 00 00 00 00 00 09 1B 00 00 00 00 B9
  53        C8 00 00 00 00 00 09 1D 00 00 00 00 BB
  54        C8 00 00 00 00 00 09 1E 00 00 00 00 BA
  55        C8 00 00 00 00 00 09 1F 00 00 00 00 A5
  56        C8 00 00 00 00 00 09 20 00 00 00 00 A4
  57        C8 00 00 00 00 00 09 21 00 00 00 00 A7
  58        C8 00 00 00 00 00 09 21 00 00 40 00 67
  59        C8 00 00 00 00 00 09 22 00 00 00 00 A6
  60        C8 00 00 00 00 00 09 22 00 00 40 00 66
  61        C8 02 00 00 00 00 09 21 00 00 00 00 A1
  62        C8 02 00 00 00 04 09 20 00 00 00 00 A2
  63        C8 03 00 00 00 00 09 20 00 00 00 00 A1
  64        C8 03 00 00 00 00 09 21 00 00 00 00 A0
  65        C8 03 00 00 00 00 09 22 00 00 00 00 A3
  66        C8 03 00 00 00 00 0A 20 00 00 00 00 A0
  67        C8 03 00 00 00 00 0A 21 00 00 00 00 A3
  68        C8 03 00 00 00 00 0A 22 00 00 00 00 A2
  69        C8 03 00 00 00 00 0C 20 00 00 00 00 A2
  70        C8 03 00 00 00 00 0C 21 00 00 00 00 AD
  71        C8 03 00 00 00 00 0D 21 00 00 00 00 AC
  72        C8 03 00 00 00 00 0E 21 00 00 00 00 AF
  73        C8 03 00 00 00 00 0F 20 00 00 00 00 AF
  74        C8 03 00 00 00 00 0F 21 00 00 00 00 AE
  75        C8 03 00 00 00 04 03 20 00 00 00 00 A7
  76        C8 03 00 00 00 04 04 20 00 00 00 00 A6
  77        C8 03 00 00 00 04 05 20 00 00 00 00 A1
  78        C8 03 00 00 00 04 06 20 00 00 00 00 A0
  79        C8 03 00 00 00 04 07 20 00 00 00 00 A3
  80        C8 03 00 00 00 04 08 20 00 00 00 00 A2
  81        C8 03 00 00 00 04 09 20 00 00 00 00 AD
  82        C8 03 00 00 00 04 09 21 00 00 00 00 AC
  83        C8 03 00 00 00 04 0A 20 00 00 00 00 AC
  84        C8 03 00 00 00 04 0A 22 00 00 00 00 AE
  85        C8 03 00 00 00 04 0B 20 00 00 00 00 AF
  86        C8 03 00 00 00 04 0B 22 00 00 00 00 A9
  87        C8 03 00 00 00 04 0C 20 00 00 00 00 AE
  88        C8 03 00 00 00 04 0C 22 00 00 00 00 A8
  89        C8 03 00 00 00 04 0D 20 00 00 00 00 A9
  90        C8 03 00 00 00 04 0D 22 00 00 00 00 AB
  91        C8 03 00 00 00 04 0E 20 00 00 00 00 A8
  92        C8 03 00 00 00 04 0E 22 00 00 00 00 AA
  93        C8 03 00 00 00 04 0F 20 00 00 00 00 AB
  94        C8 03 00 00 00 04 0F 21 00 00 00 00 AA
  95        C8 03 00 00 00 04 0F 22 00 00 00 00 55
  96        C8 03 80 00 00 00 09 20 00 00 00 00 21
  97        C8 23 00 00 00 00 09 1F 00 00 00 00 46
  98        C8 23 00 00 00 00 09 20 00 00 00 00 41
  99        C8 43 00 00 00 00 09 1F 00 00 00 00 66
 100        C8 43 00 00 00 00 09 20 00 00 00 00 61
 101        C8 60 40 00 00 00 09 1B 00 00 00 00 D9
 102        C8 60 40 00 00 00 09 1C 00 00 00 00 D8
 103        C8 60 40 00 00 00 09 1D 00 00 00 00 DB
 104        C8 60 40 00 00 00 09 1E 00 00 00 00 DA
 105        C8 62 40 00 00 04 09 1E 00 00 00 00 C0
 106        C8 62 40 00 00 04 09 1F 00 00 00 00 C3
 107        C8 63 00 00 00 00 09 1F 00 00 00 00 06
 108        C8 63 00 00 00 00 09 20 00 00 00 00 01
 109        C8 63 40 00 00 00 09 1F 00 00 00 00 C6
 110        C8 63 40 00 00 04 09 1F 00 00 00 00 C2
 111        C9 C4 D0 1F 80 31 00 40 02 00 00 00 3A
 112        CA 00 00 00 00 00 00 00 00 02 F1 21 8B
 113        CB 00 00 FF FF 70 00 00 00 00 00 00 6C
 114        CB 00 00 FF FF 7C 00 00 00 00 00 00 10
 115        CB 00 00 FF FF 7D 00 00 00 00 00 00 13


Comments

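Normally, I would vote to close this question as a duplicate of #8429. However, since this question has more content than the other one, and since this question could become even better if the OP included the make/model name of the air conditioning unit, I think we should close the other question as a duplicate of this one, even though the other question is older.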

Answer #1

You seem to have the same air conditioner as the person who asked this question. Add bytes 0-11 and XOR with 0x55 to get byte 12. Same thing.

Comments


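Thanks, that's it. My air conditioner is a Friedrich M09CJ, and the wall-mounted "thermostat" DWC1 can connect to many other Friedrich air conditioners, so it is a reasonable guess that they also use the same protocol.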

– Jes Klinke
May 5 '16 at 0:26



I have edited the question to include the make and model of the air conditioning unit.

– Jes Klinke
May 5 '16 at 0:31
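
The checksum rule from answer #1, checked against rows copied from the capture in the question; this is an added example, not code posted by anyone in the thread. The function names are hypothetical, and the truncation of the sum to 8 bits is an assumption that the sampled rows confirm.

```python
"""Added example: the sum-then-XOR checksum described in answer #1."""

FRAME_LEN = 13  # 12 payload bytes + 1 checksum byte, as stated in the question

# Rows 1, 9, 17, 31, 95, 111 and 115 copied from the capture in the question.
SAMPLE_FRAMES = [
    "A8 00 00 00 00 00 09 17 00 00 00 00 9D",
    "A8 00 00 00 00 00 09 1F 00 00 00 00 85",
    "A8 01 00 00 00 00 09 23 40 00 80 00 C0",
    "A8 41 00 00 00 00 01 00 40 00 80 00 FF",
    "C8 03 00 00 00 04 0F 22 00 00 00 00 55",
    "C9 C4 D0 1F 80 31 00 40 02 00 00 00 3A",
    "CB 00 00 FF FF 7D 00 00 00 00 00 00 13",
]


def checksum(payload: bytes) -> int:
    """Add bytes 0-11, keep the low 8 bits (assumption), then XOR with 0x55."""
    if len(payload) != FRAME_LEN - 1:
        raise ValueError("payload must be exactly 12 bytes")
    return (sum(payload) & 0xFF) ^ 0x55


def is_valid(frame: bytes) -> bool:
    """True when the frame is 13 bytes long and byte 12 matches the rule."""
    return len(frame) == FRAME_LEN and checksum(frame[:-1]) == frame[-1]


def build_frame(payload: bytes) -> bytes:
    """Append the checksum byte to a 12-byte payload."""
    return payload + bytes([checksum(payload)])


def bad_frames(lines):
    """Return the hex lines whose last byte does not match the rule."""
    return [line for line in lines if not is_valid(bytes.fromhex(line))]


def xor_matches_difference_formula() -> bool:
    """x ^ 0x55 equals the question's (x & 0xAA) - (x & 0x55) plus the constant 0x55,
    which is why incrementing one byte produced the -1 +3 -1 -5 ... pattern."""
    return all((x ^ 0x55) == (x & 0xAA) - (x & 0x55) + 0x55 for x in range(256))


if __name__ == "__main__":
    print("frames failing the rule:", bad_frames(SAMPLE_FRAMES))
    print("difference formula consistent:", xor_matches_difference_formula())
```

Because the rule is plain arithmetic over the payload, it only catches corruption on the bus; it does not authenticate which device sent a frame.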